Comment: Where the CISO Should Sit

CISOs can be far more effective if they report to the CEO (or highest ranking risk officer) instead of the CIO, says Ed Adams

There is an interesting trend happening in the enterprise segment of chief information security officers (CISOs). More and more we see companies beginning to create this role within their organization or increase the power associated with the position. The goal is to equip CISOs with the ability to enforce change, with responsibilities that range from incident response, to IT compliance, to customer data privacy.

This is a good thing, right? Someone dedicated to the voice of the customer, ensuring organizations are doing all they can to protect their data? Maybe. It depends on where this role sits in an organization. The current trend of having the CISO report to the CIO doesn’t make sense because of the competing objectives of the two positions.

In response to the attacks against the PlayStation Network, Sony announced that it was creating a new CISO position, reporting directly to the CIO. It was encouraging that Sony realized it needed someone focused on data security but discouraging that the CISO would be reporting to the CIO. All I could think was ‘here we go again’.

However, last month, Sony announced that Philip Reitinger would serve as Sony’s new senior vice president and CISO and would report to the company’s executive vice president and general counsel. This is a huge step in the right direction because Sony is now aligning security and the CISO position with risk, liability, legal and compliance areas. This is the polar opposite of a CIO or CTO, whose responsibilities are all about efficiency, uptime and making things more accessible and faster. Sony got the right idea, and people are paying attention, which is a very good sign.

The CISO is often placed in the role of ‘negative’ use case owner. Their job is to think of ways that the organization’s sensitive information could be tampered with or stolen. This often competes with the interests of the chief information officer. CIOs are typically responsible for the information technology and systems that support enterprise operations. They need these technologies to be high performing and feature rich, and security often crimps that style.

These competing interests are also why the CISO position doesn’t exist at all in some organizations, or the role is reduced to a powerless figurehead. In these organizations, information security falls under the responsibilities of the CIO (or worse, the chief security officer)…but that’s an argument for another time.

CISOs usually view IT infrastructure and components as liabilities instead of assets. This gives them the freedom to present business protection measures to the board. However, security can only be considered from a corporate risk perspective if it’s part of the risk management process.

If I were CEO of a multinational enterprise, I would place my CISO reporting to the most senior risk executive in the company and have that person report to me. This creates a nested risk-based approach to data/information protection. For example, application security becomes part of a larger information security group, which is part of a larger risk group that is responsible for assessing and mitigating risk in the context of business continuity and operations.

Security and risk are elements of every person’s job. The group that is “responsible” for security has the charter of assuring the dissemination and absorption of those security/risk elements. This group must make it part of the organization’s culture vs. the group doing all the security work itself. This would be my yin to the CIO and IT yang of faster, cheaper, more efficient automation of data management.

Hopefully someone in the Obama administration will see the light. The Sony example is analogous to the failings of Obama (and Bush before him) to recruit and maintain an impactful Cybersecurity Czar – the CISO for the US federal government.

The Czar reporting structure is inconsistent with the role having any authority. The National Security Agency (NSA) still holds responsibility for cybersecurity, and until this changes (or until the Cybersecurity Czar reports directly to NSA), the Czar will be mainly a figurehead position. The Cybersecurity Czar can write all the policies and make all the speeches they want, but they have no authority to drive meaningful change because the NSA isn't accountable to the Czar's policies.

US Congressman Jim Langevin’s (D-RI) proposed bill is on the right track. I like it because it changes the reporting structure. It makes real accountability measurable for all agencies and contractors, and creates a position reporting to the president that will oversee and influence the work of the Department of Homeland Security – the group directly accountable for implementing and assuring the new cybersecurity measures and requirements. It even calls for punitive measures for compliance failures, as well as regular audits and monitoring (not just paper audits) to make measurement more automated and frequent.

The industry is moving in the right direction, and companies are beginning to understand the importance of IT security and the role it plays in data protection. However, until the person responsible for information security is given the power and authority to effect meaningful change, we need to be knowledgeable about the threats that exist and do everything in our power to mitigate those threats and protect our business’s data.

Ed Adams, president and CEO of Security Innovation, is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks.

Adams founded the Application Security Industry Consortium, Inc. (AppSIC), a non-profit association of industry analysts, enterprise technologists, and security leaders established to define cross-industry application security metrics and best practices. The non-profit eventually morphed into SAFECode, at which point he became more engaged with other industry initiatives, including OWASP. Adams is on the board of the National Association of Information Security Groups (NAISG), as well as the Massachusetts North Shore Technology Council (NSTC).

Adams has presented to thousands at numerous seminars, software industry conferences, and private companies, and in addition, has contributed written and oral commentary for numerous business and technology media outlets. Adams earned his MBA with honors from Boston College and has BA degrees in mechanical engineering and English literature from the University of Massachusetts.